Uploading file to third party server with IP range filtering from Google Container Engine?

4/14/2016

We need to upload reports from a pod deployed on Kubernetes on Google Container Engine to a third party server that is protected by a firewall that enforces IP range filtering. Google’s IP range is dynamic (see here) so I cannot tell their operations team to simply open up a fixed IP range. How can we work around this?

-- Johan
google-cloud-platform
google-kubernetes-engine

1 Answer

4/18/2016

Since VMs have static IPs over their lifetime, you could provision a "bastion" VM in your project and use it to tunnel your uploads:

  1. Whitelist the external IP for the bastion machine in the third party server.
  2. Configure a proxy on the bastion machine to forward requests from your pod to the third party server (ignoring requests that aren't coming from IP addresses that are in your cluster's address range).
  3. Point your report uploader at the IP of the bastion machine.

This leaves the bastion as a single point of failure, so if you wanted some redundancy you could set up a few of them (in different regions).

-- Robert Bailey
Source: StackOverflow
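
One way to implement step 2 of the answer above, as an added example that is not part of the original answer: a TCP forwarder for the bastion that drops any connection whose source is outside the cluster's ranges. The CIDRs, the listen port and `reports.example.com` are constructed placeholders, and it assumes the bastion sees the pod or node internal address as the connection source.

```python
import asyncio
import ipaddress

# Assumed placeholders (constructed): pod range and node subnet of the cluster.
ALLOWED_SOURCES = [ipaddress.ip_network(c) for c in ("10.0.0.0/14", "10.240.0.0/16")]
UPSTREAM = ("reports.example.com", 443)  # third party server (placeholder)
LISTEN = ("0.0.0.0", 8443)               # bastion listener (placeholder port)

def is_allowed(peer_ip, networks=ALLOWED_SOURCES):
    """True only if peer_ip parses and falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; unwrap those.
    mapped = getattr(addr, "ipv4_mapped", None)
    addr = mapped if mapped is not None else addr
    return any(addr.version == n.version and addr in n for n in networks)

async def pipe(reader, writer):
    """Copy bytes one way until EOF or reset, then close the write side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()

async def handle(client_r, client_w):
    peer_ip = client_w.get_extra_info("peername")[0]
    if not is_allowed(peer_ip):
        print(f"DENY {peer_ip}")  # keep a record of rejected sources
        client_w.close()
        return
    try:
        up_r, up_w = await asyncio.open_connection(*UPSTREAM)
    except OSError:
        client_w.close()
        return
    await asyncio.gather(pipe(client_r, up_w), pipe(up_r, client_w))

async def main():
    server = await asyncio.start_server(handle, *LISTEN)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

Because the forwarder passes bytes through unchanged, TLS stays end to end between the uploader and the third party server, so the uploader should still validate the certificate against the third party hostname rather than the bastion's IP. A firewall rule on the bastion restricting the listen port to the same source ranges is a sensible second layer.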